
Escaping HTML in various ZK elements [closed]

asked 2011-11-22 11:15:48 +0800

guilty

Hi,

say we have such a zul:

<?init class="org.zkoss.zkplus.databind.AnnotateDataBinderInit" ?>

<zk xmlns:w="http://www.zkoss.org/2005/zk/client" xmlns:h="http://www.w3.org/1999/xhtml">
    <div id="fooDiv" apply="FooController">
    	<variables controller="${fooDiv$composer}" />
    	
		<label id="fooLabel" value="@{controller.value}" tooltiptext="@{controller.value}" />
    </div>
	
</zk>

controller.getValue() returns such a string:

foobar"><script>alert("Hi!")</script><!--

Now on to the problem:
the page does not display anything. It is a plain white page. Here's what the browser gets:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Pragma" content="no-cache" />
<meta http-equiv="Expires" content="-1" />
<title></title>

<link rel="stylesheet" type="text/css" href="/dvs/zkau/web/9035d664/zul/css/zk.wcs"/>
<link rel="stylesheet" type="text/css" href="/dvs/zkau/web/9035d664/css/commons.wcs"/>
<link rel="stylesheet" type="text/css" href="/dvs/zkau/web/9035d664/styles/default.css"/>
<link rel="stylesheet" type="text/css" href="/dvs/zkau/web/9035d664/styles/override_default.css"/>

<script type="text/javascript" src="/dvs/zkau/web/9035d664/js/zk.wpd" charset="UTF-8">
</script>
<script type="text/javascript" src="/dvs/zkau/web/9035d664/js/zul.lang.wpd" charset="UTF-8">
</script>
<!-- ZK 5.0.7 EE 2011051111 Evaluation Only -->
<script type="text/javascript">zkopt({ppos:'center'});</script></head>
<body>
<div id="jN1Q_" class="z-temp"></div>
<script type="text/javascript">zkmx(
[0,'jN1Q_',{dt:'z_h1u',cu:'/dvs',uu:'/dvs/zkau',ru:'/foo.zul'},[
['zul.wgt.Div','jN1Q0',{id:'fooDiv',prolog:'\n    '},[
['zul.wgt.Label','jN1Q1',{id:'fooLabel',tooltiptext:'foobar"><script>alert("Hi!")<\/script><!--',prolog:'\n    \t\n\t\t',value:'foobar"><script>alert("Hi!")<\/script><!--'},[]],
['zul.wgt.Button','jN1Q2',{id:'fooButton',$onClick:true,prolog:'\n\t\t',label:'Set Tooltip'},[]]]]]]);
</script>
<noscript>
<div class="noscript"><p>Sorry, JavaScript must be enabled.<br/>Change your browser options, then <a href="">try again</a>.</p></div>
</noscript>

</body>
</html>

Now, if we remove the tooltiptext attribute from the zul, the label renders correctly.

The </script> tag seems to get escaped, but quotes don't. I'm not sure if it should be like that.

Is this a bug? Should I report it as a bug?

If it's not, are there any suggestions on how to fix this behaviour? Manually escaping every string is not really an option.
Also, I checked that both the value and tooltiptext attributes go through the same escaping routine.


The question has been closed for the following reason "the question is answered, right answer was accepted" by sjoshi
close date 2013-02-28 06:32:45

1 Reply


answered 2011-11-27 17:10:49 +0800

benbai
http://www.zkoss.org

Hi guilty,

I think this is not a bug; it should be escaped.
Please refer to Cross-site scripting for more information.

If you want to create a script dynamically, you may use Executions.createComponentsDirectly;
please refer to the simple sample below.

ZKFiddle-Link

TestComposer.java
package j1r3i24r$v1;

import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.util.GenericForwardComposer;
import org.zkoss.zul.Button;
import org.zkoss.zul.Div;
import org.zkoss.zul.Textbox;

public class TestComposer extends GenericForwardComposer {
    // Auto-wired by GenericForwardComposer from the component ids in index.zul
    Button btn;
    Div div;
    Textbox tb;

    public void onClick$btn() {
        // Deliberately unescaped: whatever is typed into the textbox becomes the
        // body of a <script> element under div, so only feed it input you control.
        Executions.createComponentsDirectly("<script>" + tb.getValue() + "</script>", null, div, null);
        // Force the div to be re-rendered so the new child is sent to the browser
        div.invalidate();
    }
}


index.zul
<zk>
    <window apply="j1r3i24r$v1.TestComposer">
        <div id="div" />
        <textbox id="tb" rows="3" value="input any script you want here"></textbox>
        <div />
        <button id="btn" label="click me to execute the script above"></button>
    </window>
</zk>

What is the difference? If the script does not get escaped in the simple binding way,
you may be attacked unexpectedly.
But createComponentsDirectly is under your control;
you may do the checking or encoding as needed, or just keep it for private usage.

Regards,
ben

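The following is an added example, not code from the question, the answer or ZK itself. It takes the exact value from the question and shows why the page output above looks the way it does: inside the single-quoted JavaScript string literal that zkmx() receives, `</` must become `<\/` and a double quote needs no escaping at all, so that escaping is correct for its context and is lossless. The same value then has to be escaped a second time when the client puts it into markup (the example assumes a `title` attribute as the illustration of where a tooltip text lands; the function names are hypothetical). Skipping that second step is what lets the double quote close the attribute, the `<script>` become real markup and the `<!--` open a comment that swallows the rest of the document.

```javascript
// Added example, not part of the original page. The payload is the string
// from the question; everything else here is constructed for illustration.
const payload = 'foobar"><script>alert("Hi!")</script><!--';

// Context 1: embed a value in a single-quoted JavaScript string literal, as the
// server does when it serialises widget properties into the zkmx([...]) call.
// Backslash, the quote delimiter, line terminators and "</" are neutralised.
// A double quote is not special here, which is exactly what the question saw.
function jsStringLiteral(s) {
  return "'" + s
    .replace(/\\/g, '\\\\')
    .replace(/'/g, "\\'")
    .replace(/\r/g, '\\r')
    .replace(/\n/g, '\\n')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/<\//g, '<\\/') + "'";
}

// Parse the literal the way the browser does when it evaluates the page
// script; the original value comes back unchanged, double quote included.
function decodeJsLiteral(lit) {
  return new Function('return ' + lit + ';')();
}

// Context 2: embed a value in HTML text or a double-quoted HTML attribute.
// Here the double quote is the delimiter and must be encoded along with
// the markup-significant characters.
function htmlAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe client-side rendering: the value that came out of the JS literal is
// dropped into markup as-is. The JS escaping has already been consumed by the
// parser, so nothing protects the attribute or the element content.
function renderTitleUnsafe(text) {
  return '<span title="' + text + '">' + text + '</span>';
}

// Safe rendering: escape for the HTML context at the point of insertion.
function renderTitleSafe(text) {
  return '<span title="' + htmlAttr(text) + '">' + htmlAttr(text) + '</span>';
}

// Whether a rendered fragment contains a live <script> start tag.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Walk the value through both contexts, as the server and the client do.
function roundTrip(value) {
  const onTheWire = jsStringLiteral(value);   // what the page source shows
  const inBrowser = decodeJsLiteral(onTheWire); // what the widget receives
  return {
    onTheWire,
    lossless: inBrowser === value,
    unsafeHasScript: containsScriptTag(renderTitleUnsafe(inBrowser)),
    safeHasScript: containsScriptTag(renderTitleSafe(inBrowser)),
  };
}

console.log(roundTrip(payload));
```

Run with `node` to see the JS literal match the `tooltiptext:'...'` in the captured page, and the flags show that only the HTML-context escape at insertion time removes the script tag. The takeaway for any framework that serialises server values into a script and then renders them client-side is that each hop needs its own context-specific encoder; one encoding never covers both.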
